Auth & Session Vulns

A practical guide to testing common authentication and session-related vulnerabilities in modern web applications. Session flaws, token mismanagement, logic bugs, and account takeover techniques.

16 Categories36 CommandsCopy Ready

Intro

Introduction

1 commands

1Modern applications rely heavily on sessions, tokens and identity checks. When implemented incorrectly, attackers may bypass restrictions or fully take over accounts.

A practical guide to testing common authentication and session-related vulnerabilities in modern web applications.

Case 1

1. Old Session Does Not Expire After Password Change

2 commands

1#1 Steps: If Browser B remains authenticated, the issue exists

Create an account → Login from two browsers → Change password in Browser A → Refresh Browser B

2Critical severity — session invalidation failure

Impact: An attacker with a stolen session can maintain access even after the victim changes their password.

Case 2

2. Failure to Invalidate Session on Logout

2 commands

1#1 Steps: If access is restored without login, session remains valid server-side

Login → Copy session cookies (EditThisCookie / Cookie Editor) → Logout → Restore copied cookies → Refresh

2High severity — missing server-side invalidation

Impact: Stolen cookies can be reused indefinitely.

Case 3

3. Browser Cache Weakness (Back Button)

4 commands

1#1 Steps: If sensitive data is still visible, cache controls are missing

Login → Visit sensitive pages (Profile, Billing, Settings) → Logout → Press browser Back button

2Medium severity — missing Cache-Control headers

Impact: Attackers on shared devices may access private user data.

3Header to prevent page caching

Cache-Control: no-store

4Additional cache prevention headers

Cache-Control: no-cache, Pragma: no-cache

Case 4

4. Email Verification Bypass

2 commands

1#1 Steps: If Email A becomes verified automatically, bypass exists

Register with Email A (don't verify) → Change email to Email B → Verify Email B → Change back to Email A

2Medium severity — verification logic flaw

Impact: Attackers may verify emails they do not own, leading to account abuse.

Case 5

5. Email Verification Swap Attack

2 commands

1#1 Steps: If Email B becomes verified, vulnerability exists

Register with Email A → Receive verification link → Change email to Email B → Click old link

2High severity — verification link tied to email, not user

Impact: Pre-account takeover, Domain verification bypass, Account abuse

Case 6

6-7. Password Reset Token Issues

3 commands

1#6 Old tokens remain valid after newer requests — token persistence

Request Reset Link 1 → Request Reset Link 2 → Use Link 1 (still works → persistence)

2#7 Tokens should be single-use — token reuse

Request reset → Change password → Revisit same reset link (still works → reuse)

3High severity — reset token lifecycle failure

Impact: Attackers can reuse leaked or older reset URLs for account takeover.

Case 7

8. Missing Session Validation on Sensitive Endpoints

2 commands

1#1 Steps: If request still succeeds, endpoint doesn't validate session properly

Login → Intercept profile update in Burp Suite → Logout → Replay intercepted request

2High severity — server trusts cookie existence without validation

Impact: Attackers may perform actions after logout using captured requests.

Case 8

9. Session Fixation

2 commands

1#1 Steps: If session ID is unchanged, fixation exists

Visit login page → Record session ID → Login → Check if session ID changed

2High severity — session ID must rotate on login

Impact: Attackers can predefine session IDs and hijack accounts after victim logs in.

Case 9

10. Concurrent Session Limit Bypass

3 commands

1#1 Test with manual browsers

Login on Browser A → Login on Browser B → Check if Browser A is terminated

2#2 Automated testing with Burp Intruder

Use Burp Intruder with parallel login requests to bypass concurrent limits

3Medium severity — missing session enforcement

Impact: Attackers may remain hidden while victims actively use the account.

Case 10

11. Missing Session Rotation After Privilege Change

2 commands

1#1 Steps: If session ID stays the same, rotation is missing

Login as normal user → Record session ID → Upgrade privileges → Check if session changed

2High severity — privilege escalation via session reuse

Impact: Attackers with stolen sessions inherit elevated privileges.

Case 11

12. Infinite Session Duration

2 commands

1#1 Steps: If still valid after extended period, session never expires

Login → Save session cookie → Wait hours or days → Reuse same cookie

2High severity — no absolute session timeout

Impact: Attackers may maintain long-term access without re-authentication.

Case 12

13. Weak Remember-Me Token

2 commands

1#1 Steps: If login is restored, token is reusable static value

Enable 'Remember Me' → Save token → Logout → Restore token

2Medium severity — static remember-me tokens

Impact: Persistent unauthorized access if token is stolen.

Case 13

14. JWT Misconfiguration

2 commands

1#1 Steps: If access still works, token revocation is missing

Login and capture JWT → Logout → Replay token using Burp Suite or Postman

2Critical severity — no JWT invalidation mechanism

Impact: JWTs become permanent access keys. No server-side blacklist or expiry check.

Case 14

Common Testing Tools & Cookies

4 commands

1Intercept, modify, replay requests for session testing

Burp Suite — https://portswigger.net/burp

2Decode and debug JWT tokens

JWT.io — https://jwt.io

3View, edit, delete cookies for session manipulation

EditThisCookie — Browser extension

4Common sensitive cookies to inspect during testing

Case 15

Conclusion

1 commands

1Test these behaviors during: Web application pentesting, Bug bounty hunting, Secure code reviews

Weak session management is one of the most common causes of account takeover. Simple implementation mistakes can lead to persistent access, token abuse, session hijacking, privilege escalation, and full account compromise.

Tools

Tools & Resources

Burp Suite

Industry-standard proxy for intercepting and testing session handling

JWT.io

Online JWT decoder and debugger for token inspection

EditThisCookie

Browser extension for managing and manipulating cookies

PortSwigger — Session Management Research

Comprehensive guide to authentication and session vulnerabilities

Auth & Session Vulns

A practical guide to testing common authentication and session-related vulnerabilities in modern web applications. Session flaws, token mismanagement, logic bugs, and account takeover techniques.

16 Categories36 CommandsCopy Ready

Intro

Introduction

1 commands

1Modern applications rely heavily on sessions, tokens and identity checks. When implemented incorrectly, attackers may bypass restrictions or fully take over accounts.

A practical guide to testing common authentication and session-related vulnerabilities in modern web applications.

Case 1

1. Old Session Does Not Expire After Password Change

2 commands

1#1 Steps: If Browser B remains authenticated, the issue exists

Create an account → Login from two browsers → Change password in Browser A → Refresh Browser B

2Critical severity — session invalidation failure

Impact: An attacker with a stolen session can maintain access even after the victim changes their password.

Case 2

2. Failure to Invalidate Session on Logout

2 commands

1#1 Steps: If access is restored without login, session remains valid server-side

Login → Copy session cookies (EditThisCookie / Cookie Editor) → Logout → Restore copied cookies → Refresh

2High severity — missing server-side invalidation

Impact: Stolen cookies can be reused indefinitely.

Case 3

3. Browser Cache Weakness (Back Button)

4 commands

1#1 Steps: If sensitive data is still visible, cache controls are missing

Login → Visit sensitive pages (Profile, Billing, Settings) → Logout → Press browser Back button

2Medium severity — missing Cache-Control headers

Impact: Attackers on shared devices may access private user data.

3Header to prevent page caching

Cache-Control: no-store

4Additional cache prevention headers

Cache-Control: no-cache, Pragma: no-cache

Case 4

4. Email Verification Bypass

2 commands

1#1 Steps: If Email A becomes verified automatically, bypass exists

Register with Email A (don't verify) → Change email to Email B → Verify Email B → Change back to Email A

2Medium severity — verification logic flaw

Impact: Attackers may verify emails they do not own, leading to account abuse.

Case 5

5. Email Verification Swap Attack

2 commands

1#1 Steps: If Email B becomes verified, vulnerability exists

Register with Email A → Receive verification link → Change email to Email B → Click old link

2High severity — verification link tied to email, not user

Impact: Pre-account takeover, Domain verification bypass, Account abuse

Case 6

6-7. Password Reset Token Issues

3 commands

1#6 Old tokens remain valid after newer requests — token persistence

Request Reset Link 1 → Request Reset Link 2 → Use Link 1 (still works → persistence)

2#7 Tokens should be single-use — token reuse

Request reset → Change password → Revisit same reset link (still works → reuse)

3High severity — reset token lifecycle failure

Impact: Attackers can reuse leaked or older reset URLs for account takeover.

Case 7

8. Missing Session Validation on Sensitive Endpoints

2 commands

1#1 Steps: If request still succeeds, endpoint doesn't validate session properly

Login → Intercept profile update in Burp Suite → Logout → Replay intercepted request

2High severity — server trusts cookie existence without validation

Impact: Attackers may perform actions after logout using captured requests.

Case 8

9. Session Fixation

2 commands

1#1 Steps: If session ID is unchanged, fixation exists

Visit login page → Record session ID → Login → Check if session ID changed

2High severity — session ID must rotate on login

Impact: Attackers can predefine session IDs and hijack accounts after victim logs in.

Case 9

10. Concurrent Session Limit Bypass

3 commands

1#1 Test with manual browsers

Login on Browser A → Login on Browser B → Check if Browser A is terminated

2#2 Automated testing with Burp Intruder

Use Burp Intruder with parallel login requests to bypass concurrent limits

3Medium severity — missing session enforcement

Impact: Attackers may remain hidden while victims actively use the account.

Case 10

11. Missing Session Rotation After Privilege Change

2 commands

1#1 Steps: If session ID stays the same, rotation is missing

Login as normal user → Record session ID → Upgrade privileges → Check if session changed

2High severity — privilege escalation via session reuse

Impact: Attackers with stolen sessions inherit elevated privileges.

Case 11

12. Infinite Session Duration

2 commands

1#1 Steps: If still valid after extended period, session never expires

Login → Save session cookie → Wait hours or days → Reuse same cookie

2High severity — no absolute session timeout

Impact: Attackers may maintain long-term access without re-authentication.

Case 12

13. Weak Remember-Me Token

2 commands

1#1 Steps: If login is restored, token is reusable static value

Enable 'Remember Me' → Save token → Logout → Restore token

2Medium severity — static remember-me tokens

Impact: Persistent unauthorized access if token is stolen.

Case 13

14. JWT Misconfiguration

2 commands

1#1 Steps: If access still works, token revocation is missing

Login and capture JWT → Logout → Replay token using Burp Suite or Postman

2Critical severity — no JWT invalidation mechanism

Impact: JWTs become permanent access keys. No server-side blacklist or expiry check.

Case 14

Common Testing Tools & Cookies

4 commands

1Intercept, modify, replay requests for session testing

Burp Suite — https://portswigger.net/burp

2Decode and debug JWT tokens

JWT.io — https://jwt.io

3View, edit, delete cookies for session manipulation

EditThisCookie — Browser extension

4Common sensitive cookies to inspect during testing

Case 15

Conclusion

1 commands

1Test these behaviors during: Web application pentesting, Bug bounty hunting, Secure code reviews

Weak session management is one of the most common causes of account takeover. Simple implementation mistakes can lead to persistent access, token abuse, session hijacking, privilege escalation, and full account compromise.

Tools

Tools & Resources

Burp Suite

Industry-standard proxy for intercepting and testing session handling

JWT.io

Online JWT decoder and debugger for token inspection

EditThisCookie

Browser extension for managing and manipulating cookies

PortSwigger — Session Management Research

Comprehensive guide to authentication and session vulnerabilities